Pentesting azure applications pdf download
Practical Web Penetration Testing focuses on this very trend, teaching you how to conduct application security testing using real-life scenarios. You will then explore different penetration testing concepts such as threat modeling, intrusion test, infrastructure security threat, and more, in combination with advanced concepts such as Python scripting for automation.

Once you are done learning the basics, you will discover end-to-end implementation of tools such as Metasploit, Burp Suite, and Kali Linux. Many companies deliver projects into production by using either Agile or Waterfall methodology. This book shows you how to assist any company with their SDLC approach and helps you on your journey to becoming an application security specialist.

By the end of this book, you will have hands-on knowledge of using different tools for penetration testing. What you will learn Learn how to use Burp Suite effectively Use Nmap, Metasploit, and more tools for network infrastructure tests Practice using all web application hacking tools for intrusion tests using Kali Linux Learn how to analyze a web application using application threat modeling Know how to conduct web intrusion tests Understand how to execute network infrastructure tests Master automation of penetration testing functions for maximum efficiency using Python Who this book is for Practical Web Penetration Testing is for you if you are a security professional, penetration tester, or stakeholder who wants to execute penetration testing using the latest and most popular tools.

Basic knowledge of ethical hacking would be an added advantage. The Art of Network Penetration Testing is a guide to simulating an internal security breach.

Summary Penetration testing is about more than just getting through a perimeter firewall. The biggest security threats are inside the network, where attackers can rampage through sensitive data by exploiting weak access controls and poorly patched software. Designed for up-and-coming security professionals, The Art of Network Penetration Testing teaches you how to take over an enterprise network from the inside. It lays out every stage of an internal security assessment step-by-step, showing you how to identify weaknesses before a malicious invader can do real damage.

About the technology Penetration testers uncover security gaps by attacking networks exactly like malicious intruders do. To become a world-class pentester, you need to master offensive security concepts, leverage a proven methodology, and practice, practice, practice. This book delivers insights from security expert Royce Davis, along with a virtual testing environment you can use to hone your skills. About the book The Art of Network Penetration Testing is a guide to simulating an internal security breach.

What's inside Set up a virtual pentest lab Exploit Windows and Linux network vulnerabilities Establish persistent re-entry to compromised targets Detail your findings in an engagement report About the reader For tech professionals.

No security experience required. About the author Royce Davis has orchestrated hundreds of penetration tests, helping to secure many of the largest companies in the world. This is an easy-to-follow guide, full of hands-on and real-world examples of applications.

Each of the vulnerabilities discussed in the book is accompanied with the practical approach to the vulnerability, and the underlying security issue.

This book is intended for all those who are looking to get started in Android security or Android application penetration testing. Stop manually analyzing binary! Practical Binary Analysis is the first book of its kind to present advanced binary analysis topics, such as binary instrumentation, dynamic taint analysis, and symbolic execution, in an accessible way.

As malware increasingly obfuscates itself and applies anti-analysis techniques to thwart our analysis, we need more sophisticated methods that allow us to raise that dark curtain designed to keep us out--binary analysis can help. The goal of all binary analysis is to determine and possibly modify the true properties of binary programs to understand what they really do, rather than what we think they should do.

While reverse engineering and disassembly are critical first steps in many forms of binary analysis, there is much more to be learned. This hands-on guide teaches you how to tackle the fascinating but challenging topics of binary analysis and instrumentation and helps you become proficient in an area typically only mastered by a small group of expert hackers.

It will take you from basic concepts to state-of-the-art methods as you dig into topics like code injection, disassembly, dynamic taint analysis, and binary instrumentation. You'll then go on to implement profiling tools with Pin and learn how to build your own dynamic taint analysis tools with libdft and symbolic execution tools using Triton. You'll learn how to: - Parse ELF and PE binaries and build a binary loader with libbfd - Use data-flow analysis techniques like program tracing, slicing, and reaching definitions analysis to reason about runtime flow of your programs - Modify ELF binaries with techniques like parasitic code injection and hex editing - Build custom disassembly tools with Capstone - Use binary instrumentation to circumvent anti-analysis tricks commonly used by malware - Apply taint analysis to detect control hijacking and data leak attacks - Use symbolic execution to build automatic exploitation tools With exercises at the end of each chapter to help solidify your skills, you'll go from understanding basic assembly to performing some of the most sophisticated binary analysis and instrumentation.

Practical Binary Analysis gives you what you need to work effectively with binary programs and transform your knowledge from basic understanding to expert-level proficiency. An ethical introduction to social engineering, an attack technique that leverages psychology, deception, and publicly available information to breach the defenses of a human target in order to gain access to an asset. Social engineering is key to the effectiveness of any computer security professional.

Practical Social Engineering teaches you how to leverage human psychology and publicly available information to attack a target. The book includes sections on how to evade detection, spear phish, generate reports, and protect victims to ensure their well-being.

You'll learn how to collect information about a target and how to exploit that information to make your attacks more effective. You'll also learn how to defend yourself or your workplace against social engineering attacks.

Case studies throughout offer poignant examples such as how the author was able to piece together the details of a person's life simply by gathering details from an overheard restaurant conversation. Gray walks you through the sometimes difficult decision making process that every ethical social engineer must go through when implementing a phishing engagement including how to decide whether to do things manually or use automated tools; even how to set up your web server and build other technical tools necessary to succeed.

With over services available to over 44 geographic regions, it would take a library of books to cover the entire Azure ecosystem. Written by a Microsoft MVP and Microsoft Certified Azure Solutions Architect, Microsoft Azure For Dummies covers building virtual networks, configuring cloud-based virtual machines, launching and scaling web applications, migrating on-premises services to Azure, and keeping your Azure resources secure and compliant.

Migrate your applications and services to Azure with confidence Manage virtual machines smarter than you've done on premises Deploy web applications that scale dynamically to save you money and effort Apply Microsoft's latest security technologies to ensure compliance to maintain data privacy With more and more businesses making the leap to run their applications and services on Microsoft Azure, basic understanding of the technology is becoming essential.

Microsoft Azure For Dummies offers a fast and easy first step into the Microsoft public cloud. The definitive guide to hacking the world of the Internet of Things (IoT): internet-connected devices such as medical devices, home assistants, smart home appliances, and more. Drawing from the real-life exploits of five highly regarded IoT security researchers, Practical IoT Hacking teaches you how to test IoT systems, devices, and protocols to mitigate risk. The book begins by walking you through common threats and a threat modeling framework.

Pentesting Azure Applications. Penetration Testing Azure for Ethical Hackers. Hands on Penetration Testing for Web Applications.

Penetration Testing. By the end of this penetration testing book, you'll have become well-versed in a variety of ethical hacking techniques for securing your AWS environment against modern cyber threats. What you will learn Set up your AWS account and get well-versed in various pentesting services Delve into a variety of cloud pentesting tools and methodologies Discover how to exploit vulnerabilities in both AWS and applications Understand the legality of pentesting and learn how to stay in scope Explore cloud pentesting best practices, tips, and tricks Become competent at using tools such as Kali Linux, Metasploit, and Nmap Get to grips with post-exploitation procedures and find out how to write pentesting reports Who this book is for If you are a network engineer, system administrator, or system operator looking to secure your AWS environment against external cyberattacks, then this book is for you.

Ethical hackers, penetration testers, and security consultants who want to enhance their cloud security skills will also find this book useful. No prior experience in penetration testing is required; however, some understanding of cloud computing or AWS cloud is recommended. The Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, the tool can be hard to grasp for first-time users.

Metasploit: The Penetration Tester's Guide fills this gap by teaching you how to harness the Framework and interact with the vibrant community of Metasploit contributors. Learn how to: —Find and exploit unmaintained, misconfigured, and unpatched systems —Perform reconnaissance and find valuable information about your target —Bypass anti-virus technologies and circumvent security controls —Integrate Nmap, NeXpose, and Nessus with Metasploit to automate discovery —Use the Meterpreter shell to launch further attacks from inside the network —Harness standalone Metasploit utilities, third-party tools, and plug-ins —Learn how to write your own Meterpreter post exploitation modules and scripts You'll even touch on exploit discovery for zero-day research, write a fuzzer, port existing exploits into the Framework, and learn how to cover your tracks.

Whether your goal is to secure your own networks or to put someone else's to the test, Metasploit: The Penetration Tester's Guide will take you there and beyond.

Penetration testers simulate cyber attacks to find security weaknesses in networks, operating systems, and applications. Information security experts worldwide use penetration techniques to evaluate enterprise defenses. In Penetration Testing, security expert, researcher, and trainer Georgia Weidman introduces you to the core skills and techniques that every pentester needs. With its collection of hands-on lessons that cover key tools and strategies, Penetration Testing is the introduction that every aspiring hacker needs.

Over 80 recipes to master IoT security techniques. About This Book Identify vulnerabilities in IoT device architectures and firmware using software and hardware pentesting techniques Understand radio communication analysis with concepts such as sniffing the air and capturing radio signals A recipe-based guide that will teach you to pentest a new and unique set of IoT devices.

Prior knowledge of basic pentesting would be beneficial. What You Will Learn Set up an IoT pentesting lab Explore various threat modeling concepts Exhibit the ability to analyze and exploit firmware vulnerabilities Demonstrate the automation of application binary analysis for iOS and Android using MobSF Set up a Burp Suite and use it for web app testing Identify UART and JTAG pinouts, solder headers, and hardware debugging Get solutions to common wireless protocols Explore the mobile security and firmware best practices Master various advanced IoT exploitation techniques and security automation In Detail IoT is an upcoming trend in the IT industry today; there are a lot of IoT devices on the market, but there is a minimal understanding of how to safeguard them.

If you are a security enthusiast or pentester, this book will help you understand how to exploit and secure IoT devices. This book follows a recipe-based approach, giving you practical experience in securing upcoming smart devices. It starts with practical recipes on how to analyze IoT device architectures and identify vulnerabilities.

Then, it focuses on enhancing your pentesting skill set, teaching you how to exploit a vulnerable IoT device, along with identifying vulnerabilities in IoT device firmware. Next, this book teaches you how to secure embedded devices and exploit smart devices with hardware techniques.

Moving forward, this book reveals advanced hardware pentesting techniques, along with software-defined, radio-based IoT pentesting with Zigbee and Z-Wave. Finally, this book also covers how to use new and unique pentesting techniques for different IoT devices, along with smart devices connected to the cloud. By the end of this book, you will have a fair understanding of how to use different pentesting techniques to exploit and secure various IoT devices.

Style and approach This recipe-based book will teach you how to use advanced IoT exploitation and security automation. A complete pentesting guide facilitating smooth backtracking for working hackers About This Book Conduct network testing, surveillance, pen testing and forensics on MS Windows using Kali Linux Gain a deep understanding of the flaws in web applications and exploit them in a practical manner Pentest Android apps and perform various attacks in the real world using real case studies Who This Book Is For This course is for anyone who wants to learn about security.

Basic knowledge of Android programming would be a plus. What You Will Learn Exploit several common Windows network vulnerabilities Recover lost files, investigate successful hacks, and discover hidden data in innocent-looking files Expose vulnerabilities present in web servers and their applications using server-side attacks Use SQL and cross-site scripting (XSS) attacks Check for XSS flaws using the Burp Suite proxy Acquaint yourself with the fundamental building blocks of Android apps in the right way Take a look at how your personal data can be stolen by malicious attackers See how developers make mistakes that allow attackers to steal data from phones In Detail The need for penetration testers has grown well over what the IT industry ever anticipated.

Running just a vulnerability scanner is no longer an effective method to determine whether a business is truly secure. This learning path will help you develop the most effective penetration testing skills to protect your Windows, web applications, and Android devices. The first module focuses on the Windows platform, which is one of the most common OSes, and managing its security spawned the discipline of IT security.

Kali Linux is the premier platform for testing and maintaining Windows security. It employs the most advanced tools and techniques to reproduce the methods used by sophisticated hackers. In this module, you'll first be introduced to Kali's top ten tools and other useful reporting tools.

Then, you will find your way around your target network and determine known vulnerabilities so you can exploit a system remotely. You'll not only learn to penetrate the machine, but will also learn to work with Windows privilege escalations. The second module will help you get to grips with the tools used in Kali Linux 2.

You will also use an automated technique called fuzzing so you can identify flaws in a web application. Finally, you'll understand the web application vulnerabilities and the ways they can be exploited. In the last module, you'll get started with Android security. Android, being the platform with the largest consumer base, is the obvious primary target for attackers. You'll begin this journey with the absolute basics and will then slowly gear up to the concepts of Android rooting, application security assessments, malware, infecting APK files, and fuzzing.

You'll gain the skills necessary to perform Android application vulnerability assessments and to create an Android pentesting lab. Style and approach This course uses easy-to-understand yet professional language for explaining concepts to test your network's security.

Azure is a trademark of Microsoft. Other product and company names mentioned herein may be the trademarks of their respective owners.

Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. About the Author Matt Burrough is a senior penetration tester on a corporate red team at a large software company, where he assesses the security of cloud computing services and internal systems.

He frequently attends hacker and information security conferences. About the Technical Reviewer Tom Shinder is a cloud security program manager for one of the big three public cloud service providers. He is responsible for security technical content and education, customer engagements, and competitive analysis. He has presented at many of the largest security conferences on topics related to both on-premises and public cloud security and architecture.

He was a practicing neurologist prior to changing careers in the s. To my amazing wife, Megan, who inspires me and supports me in all my crazy endeavors. And to my mom, who made me the writer I am today.

Brief Contents
Foreword by Thomas W. Shinder, MD
What This Book Is About
How This Book Is Organized
Clouds Are Reasonably Secure by Default
Getting Permission
Scope the Assessment
Notify Microsoft
Be Aware of and Respect Local Laws
Azure Service Management
Azure Resource Manager
Obtaining Credentials
Using Mimikatz
Capturing Credentials
Factors Affecting Success
Best Practices: Usernames and Passwords
Usernames and Passwords
Searching Unencrypted Documents
Guessing Passwords
Best Practices: Management Certificates
Finding Management Certificates
Publish Settings Files
Reused Certificates
Configuration Files
Cloud Service Packages
Best Practices: Protecting Privileged Accounts
Using Certificate Authentication
Using a Service Principal or a Service Account
Accessing Cookies
Utilizing Smartcards
Stealing a Phone or Phone Number
Prompting the User for 2FA
On Windows
On Linux or macOS
Running Your Tools
Service Models
Best Practices: PowerShell Security
Authenticating with Management Certificates
Installing the Certificate
Connecting and Validating Access
Best Practices: Service Principals
Authenticating with Service Principals
Using Service Principals with Passwords
Authenticating with X.
Best Practices: Subscription Security
Gathering Subscription Information
Viewing Resource Groups
Gathering Information on Virtual Machines
Gathering Information on Networking
Network Interfaces
Consolidated PowerShell Scripts
ASM Script
ARM Script
Accessing Storage Accounts
Storage Account Keys
User Credentials
SAS Tokens
Where to Find Storage Credentials
Finding Keys in Source Code
Identifying the Storage Mechanisms in Use
Accessing Blobs
Accessing Tables
Accessing Queues
Accessing Files
Best Practices: VM Security
Virtual Hard Disk Theft and Analysis
Downloading a VHD Snapshot
Exploring the VHD with Autopsy
Importing the VHD
Analyzing Windows VHDs
Analyzing Linux VHDs
Cracking Password Hashes
Dictionary Attacks
Brute-Force Attacks
Hybrid Attacks
Rainbow Table Attacks
Weaknesses in Windows Password Hashes
Password Hash Attack Tools
Testing Hashes with hashcat
Determining the Hostname
Finding a Remote Administration Service
Downsides to Password Resets
Avoiding Firewalls
Virtual Machine Firewalls
Azure SQL Firewalls
Azure Web Application Firewalls
Cloud-to-Corporate Network Bridging
Virtual Private Networks
Service Bus
Logic Apps
Examining Azure Key Vault
Displaying Secrets
Displaying Keys
Displaying Certificates
Targeting Web Apps
Deployment Methods
Obtaining Deployment Credentials
Best Practices: Automation
Leveraging Azure Automation
Obtaining Automation Assets
Hybrid Workers
Operations Management Suite
Setting Up OMS
Reviewing Alerts in OMS
Secure DevOps Kit
Custom Log Handling

Better would be the pendulum. A topic captures the imagination of a population for a period of time, and then as the pendulum moves in the other direction, that population loses interest in the topic.

It just gets buried by new issues du jour. The mids were a heyday for security professionals. Everyone wanted to be a security specialist, and the fields were green for them. The threat environment was relatively unsophisticated, and even simple methods for shoring up defenses made a big difference. IT security or cybersecurity is, at its core, about detecting, defending against, and responding to threats to your IT infrastructure, services, technologies, and data. The view you take on each of these areas might be used to define you as either a defender or an attacker.

The cop and the criminal each must be aware of what the other knows and how they act on what they know. Cops who have no insights into criminal motivations and behavior are going to have a very low collar rate.

Criminals who want to stay in the game have to know the strategies and tactics used by the cops. The attacker is the one trying to find flaws and misconfigurations in either the IT systems or the people who manage those systems. For an attacker, success leads to unauthorized access to the systems and the data contained in them. Matt Burrough addresses penetration testing, or pentesting, in this book.

A pentester acts in the role of an attacker but without the criminal intent and potentially destructive results. A good pentester knows what cyber-criminals know and also what IT defenders know. The pentester wears a white hat but understands the capabilities and motivations of black and gray hats. The core value, and the best and most positive influence this text will have, is in its support of the defender perspective.

In the pages that follow, Matt walks you through a number of pentesting scenarios that will help you find security issues that need to be addressed in Azure-based IT solutions. Note that these are weaknesses in the solutions set up by Azure customers, not in the Azure Fabric itself; no one outside of Microsoft is allowed to pentest the Azure Fabric infrastructure. The documentation provides basic descriptions of the services and, at times, a few code snippets—it is not meant to educate.

Matt helps you experience pentesting and IT security from the perspective of the jockey, so buckle up! A sign of a true sensei! Okay, enough of the sales pitch! Of course, you can read any chapter you like in any order you like, but I recommend that you start at the beginning—with the introduction. Thomas W. My family— my wife, Megan, for all the love and support in this and every other part of our lives; my mom, for giving me my work ethic and love of prose; and my stepdad, for encouraging me to pursue technology and for sharing his ethics.

And thanks to everyone else in my family who encouraged me through the years. Finally, thanks to our furry family for providing snuggles and playing fetch when I felt stuck. Professionally, I owe much to my manager Eric Leonard. He gave me a chance to make my long-desired jump from IT and software engineering to infosec, and encouraged me to write this book.

I also appreciate the thorough feedback and constant encouragement from my friend, Johannes Hemmerlein. Finally, thank you to the Azure team as a whole—you have created a truly great product, and make my job as a pentester difficult. Bill Pollock, thank you for taking a chance on a first-time author, for providing all the valuable feedback on my manuscript, and especially for being such a huge part of the infosec community and publishing books I want to read.

Zach Lebowski, thank you for your editing. Finally, thanks to Jonny Thomas for the wonderful cover and to Bart Reed for the copyedits. Derek Anderson, thanks for always being there for me, being a great teammate and dear friend, getting me my first Shmoocon ticket, and giving me a place to crash for the con.

Bill Stackpole, thanks for the great courses, the recommendations for grad school, and for my love of Turkish coffee. In other words, companies only need to pay for the capacity in use, and they can quickly scale up resources if a new service becomes an overnight success.

Of course, there are tradeoffs, and the one usually brought up first is security. Application architects and managers commonly speculate about the security of their solutions. Unfortunately, experience with the cloud—and developing threat models for it, in particular—is still lacking in many organizations.

We need penetration testing to validate the assumptions and design decisions that go into these projects, and although a number of excellent texts on penetration testing are available, few cover issues unique to cloud-hosted services. I describe how to use such tools in this book not to enable criminals—they already leverage these techniques—but to make sure legitimate pentesters are checking for many of the common threat vectors cloud service customers can expect to encounter. Before introducing most major topics, I cover some of the best practices that IT professionals and developers can use to protect their deployments from attackers.

For example, if you want a guide to attacking the underlying hardware and software that run Azure (called Azure Fabric), a complete reference to Azure, or an assessment of other cloud providers, then you may need to look somewhere else.

This book assumes you have a basic understanding of penetration testing tools and techniques. Warning Not all techniques described in other penetration testing guides may be appropriate or permitted when testing cloud environments.

How This Book Is Organized I organized this book so it follows the typical workflow of one of my Azure-focused penetration tests, but you might not need every chapter on every security project. Not every customer will utilize all of the Azure services I cover in this book; most will only rely on a subset of the services Azure offers. You can always come back to it another time.

It also highlights a few useful third-party tools, and then moves on to examining specific services in Azure. Chapter 4: Examining Storage discusses the best ways to gain access to Azure Storage accounts and how to view their contents. Chapter 6: Investigating Networks describes the security of various network technologies such as firewalls, virtual private network (VPN) connections, and other bridging technologies that can link a subscription to a corporate network.

Chapter 8: Monitoring, Logs, and Alerts reviews Azure security logging and monitoring. Finally, a glossary defines important terms for your reference. Because Azure is a Microsoft product, many of these tools run exclusively on Windows.

Windows 7 is the minimum necessary version, but you should expect updated tools to require newer versions of Windows. If possible, try to use the most up-to-date version for best tool compatibility. A bit mundane, right? I can think of no penetration tester who prefers the paperwork part of the job to the hacking portion. That said, some preparation work is required to pull off a successful test and not end up in a world of trouble.

Without proper planning and notifications, your penetration testing could violate laws or legal agreements, potentially ending your infosec career. I promise, a small amount of pre-work can be completed quickly and will result in a better-quality penetration test that will cement your place among the top tier of security professionals—so read on, friend!

This chapter focuses on the steps needed to properly design and launch a cloud-focused penetration test.

A Hybrid Approach

With more and more corporations placing parts of their IT infrastructure in the cloud, it has become hard to differentiate internal applications from public-facing services.

Whenever I see such a request, I always push to increase the scope of the test to cover both the cloud portion and any related on-premises components, including non-cloud-based data stores, user accounts for employees working on the cloud projects, employee workstations, and test environments.

Sure, a lot of services look and seem similar to what used to run inside of the corporation, but many behave slightly differently from what users have grown accustomed to. When these differences are ignored or misunderstood, it can lead to vulnerabilities that attackers can exploit. Additionally, the most common security architecture in the s and s was to place everything on a trusted internal network and then put all the security around the perimeter.

This layout looked a lot like a castle of old—and just like the castle, changing technology has rendered it obsolete. Absent this knowledge, it is common to run into all kinds of poorly conceived cloud deployments.

Clouds Are Reasonably Secure by Default

This may seem a bit strange to read in a book about pentesting cloud services, but it is true: clouds are reasonably secure by default.

Providers have base images that have firewalls turned on, antivirus pre-installed, and only one administrator present. For example, perhaps the administrator of that VM reuses their password all over the place. My personal favorite is when an administrator leaves the password they use to connect to the cloud platform sitting in a text file on a network share. An assessment with this kind of limited scope will give those requesting the test the wrong impression that their cloud assets are impenetrable.

In reality, a black hat (malicious) attacker would use any of these methods to gain the desired access. So too are our corporate networks, cloud services, and the internet. Frequently in my testing, I will use a foothold on a corporate workstation to gain access to a cloud service.

Getting Permission

Once the scope of the assessment has been established, the next step is to obtain the required permission. After all, without permission, a penetration test could be considered black hat hacking.

Therefore, it is important to follow the steps discussed in this section.

Scope the Assessment

Establishing a thorough scope that defines exactly which systems will be targeted, which methods will be used, and when the assessment will take place, and having it approved by all parties, is crucial to any penetration test.

That said, scoping a penetration test with a cloud component is significantly more important. Whereas when working on a corporate network you are likely to be directly impacting only your target organization, in the cloud a poorly planned scope could result in an attack against a different customer of the same cloud service provider or even the provider itself! That sounds like the beginning of an international incident I would desperately want to avoid.

For that reason, I suggest forgoing black box testing, where the tester has very limited or no knowledge of the targets at the beginning of the test.

Doing a broad scan against one of these IPs would be a definite rule violation. Another important consideration when developing your scope is organizational policy. For external testers, this includes the rules of both your firm and the target organization. A number of large companies have internal procedures that dictate what is out of bounds in security testing and sometimes, what must be included.

Violating these mandates can end your employment, or worse. If you identify a method or service that is forbidden but that you feel is crucial to an accurate assessment, be sure to bring up your concerns with management, corporate attorneys, and the policy authors.

You may end up with an exemption; at worst, you can document and explain the omission in your final report.

Notify Microsoft

Once the scope is complete, you may need permission from the cloud provider—in our case, Microsoft. Each provider has its own set of rules that restrict the types of penetration testing permitted and what notification needs to be given, if any. As of this writing, submitting the notification form and receiving confirmation from Microsoft is suggested, though not required.

For all other testing, it is best to submit notice. Note that a penetration test period can be at most six months in length. For longer tests, the form will need to be resubmitted.

Figure: The Azure penetration test notification form

The form also requires you to acknowledge and accept the testing terms and conditions. Here are a few key takeaways from these rules:

Test only subscriptions you have explicit permission to test.

Testing will be approved only for subscriptions that you or your company own, or those that you have explicit permission from the owner to test. This rule is easy to follow. Just be sure to have a solid scoping agreement, send the scope of the test to the Azure security team using the form, and then follow it!

Perform only the testing you described in the form. Do not target Microsoft services or those of other customers.

Just remember that resources are a bit fluid in the cloud: servers may be shared and IPs can change. When in doubt, confirm a target is owned by your employer before proceeding, and double-check that you received acknowledgment from Microsoft.

Warning: For Platform as a Service (PaaS) resources, such as Azure Web Apps, the underlying server may be hosting websites for multiple customers, and these are therefore off limits for host-based attacks. This is what makes scoping in the cloud so much more complicated than in on-premises environments.

If you find a flaw in Azure itself, report it to Microsoft. Microsoft is fairly strict with this last point—you are required to report any identified Azure Fabric vulnerabilities within 24 hours and must not disclose them elsewhere for 90 days.
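As an added example that is not from the book: a pre-flight scope check that encodes the rules above (authorized subscriptions and address ranges, the agreed test window, the six-month limit, and the PaaS shared-host restriction) so a target is confirmed in scope before any test is run. The subscription id, address range, dates and resource inventory are constructed placeholders.

```python
# Added example (not the book's code): gate each target against the scope
# agreement and the Azure testing rules before touching it.
import ipaddress
from datetime import date

MAX_TEST_DAYS = 183  # "at most six months" per the notification rules

# Constructed authorization letter contents (placeholder subscription id,
# RFC 5737 documentation address range, made-up dates).
AUTHORIZED = {
    "subscriptions": {"00000000-0000-0000-0000-000000000001"},
    "cidrs": [ipaddress.ip_network("203.0.113.0/28")],
    "start": date(2024, 3, 1),
    "end": date(2024, 5, 31),
}

# Constructed resource inventory keyed by public IP: which subscription owns
# the address today and whether it is an IaaS VM or a shared PaaS web app.
INVENTORY = {
    "203.0.113.5": {"sub": "00000000-0000-0000-0000-000000000001", "kind": "vm"},
    "203.0.113.9": {"sub": "00000000-0000-0000-0000-000000000001", "kind": "webapp"},
    "203.0.113.20": {"sub": "some-other-customer", "kind": "vm"},
}


def period_is_valid(auth):
    """The test window must be ordered and no longer than six months."""
    return auth["start"] <= auth["end"] and \
        (auth["end"] - auth["start"]).days <= MAX_TEST_DAYS


def check_target(ip, test_type, today_iso, auth=AUTHORIZED, inventory=INVENTORY):
    """Return (allowed, reason). test_type is 'host' (OS-level) or 'app'."""
    today = date.fromisoformat(today_iso)
    if not period_is_valid(auth):
        return False, "authorization period invalid or longer than six months"
    if not auth["start"] <= today <= auth["end"]:
        return False, "outside the authorized test window"
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in auth["cidrs"]):
        return False, "address not in an authorized range"
    res = inventory.get(ip)  # re-resolve: IPs move between customers
    if res is None or res["sub"] not in auth["subscriptions"]:
        return False, "resource not in an authorized subscription"
    if res["kind"] == "webapp" and test_type == "host":
        return False, "PaaS host is shared with other customers; app-level tests only"
    return True, "in scope"
```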

Finding such a bug means a bit of additional work, but it can also mean a decent payout, plus public recognition from Microsoft. The letter should clearly state who the testers are, the scope of the activities you are authorized to perform, and the start and end dates of the test.

It should be signed by the penetration test lead, a high-level manager at the company being assessed, and, if the penetration tester is external to that organization, a manager at the firm performing the test. Ideally, the letter should also contain some means to validate that it is legitimate and not forged, such as contact information for the managers.

Although these letters are most useful when an assessment of physical security is being performed, I like to have one even when a physical evaluation is not in scope for a test.

Ed also offers this excellent advice to his students: have your lawyer review your letter as well as any contracts and other agreements related to penetration testing. What works for one organization in one location might not work for you. If you are an independent contractor, retain counsel to represent you. Hacking, even with permission, is a risky business.

Be Aware of and Respect Local Laws

Speaking of consulting with lawyers, work with your counsel to determine if any national, regional, or local laws may restrict the types of activities you can perform in a penetration test or if special care needs to be taken for any particular servers or types of data.

For example, some regulations require that customers or patients be notified if their financial or medical records are accessed improperly. Does access by a penetration tester fall under these disclosure requirements? It is far better to ask an attorney than to make an assumption. Additionally, be concerned with not only the location of the penetration tester but also that of the target servers, target corporation headquarters and field offices, and, if applicable, the security firm performing the test.

This can be particularly tricky when looking at cloud resources. After all, what if a server is migrated between regions during your testing? It may not be apparent that anything has happened, but suddenly your target is in a new country with vastly different laws.

Be sure to discuss this concern with your client when scoping the test to ensure that you are aware of any possible localities its services may reside in during the assessment window.

If a customer wants to test a system that resides in a country with unfavorable penetration testing regulations, the customer might even consider migrating the resources to a different region during the test.

Summary

In this chapter, I discussed the importance of testing cloud services and the company network simultaneously to ensure the best coverage. I also discussed how to notify or get permission from all the relevant parties before performing a penetration test and how to avoid the criminal justice system.

This chapter focuses on how to obtain credentials for an Azure subscription from a legitimate user or service.

We start by looking at the different mechanisms Azure uses to control access to subscriptions, and how deployments and permissions are managed.

Next, we cover common places where Azure credentials can be found, and how to capture them. Finally, we look at two-factor authentication, which may be in use to provide additional protection for a subscription, and then examine several ways it can be circumvented. Although both models can coexist for any given subscription, each resource in a particular subscription uses only one model. Likewise, running the newer Azure PowerShell commands will typically give you access only to modern resources.

Azure Service Management

Azure Service Management is the original design for deploying and interacting with Azure resources. The first two roles are limited to one each per subscription. Both can be assigned to a single user, if desired.
